[Samba] Questions on Samba and LDAP failover
Michael Adam
obnox at samba.org
Fri Mar 26 06:15:12 MDT 2010
Gary Peck wrote:
> I have actually tried that and could not get that to work. At least it
> does not work on the version of samba that is bundled with Solaris 10
> (3.0.37).
>
> passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"
> --- This causes a core dump
Oh, I mis-spelled it: ldap: instead of ldapsam:
> passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
> --- smbpasswd username fails connecting to the primary ldap server and just
> errors out.
Hmm, what ldap library are you using? reading from the smb.conf
manpage:
>>>>> - ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to
>>>>> ldap://localhost)
>>>>>
>>>>> LDAP connections should be secured where possible. This may be done using either Start-TLS (see
>>>>> ldap ssl) or by specifying ldaps:// in the URL argument.
>>>>>
>>>>> Multiple servers may also be specified in double-quotes. Whether multiple servers are supported
>>>>> or not and the exact syntax depends on the LDAP library you use.
>>>>>
>>>>> Examples of use are:
>>>>>
>>>>> passdb backend = tdbsam:/etc/samba/private/passdb.tdb
>>>>>
>>>>> or multi server LDAP URL with OpenLDAP library:
>>>>>
>>>>> passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
>>>>>
>>>>> or multi server LDAP URL with Netscape based LDAP library:
>>>>>
>>>>> passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
So it depends on your LDAP client library, and the example I gave you is valid
for OpenLDAP, possibly not for yours, if it supports multiple servers at all.
You could try the second syntax: ldapsam:"ldap://ldap-1.example.com ldap-2.example.com".
The bottom line is that the string between the quotes has to be a valid string
accepted by the ldap init routine of your library...
Cheers - Michael
> It seems to be the 3.0.22 release that I remember seeing a note that ldap
> failover was deprecated for some reason. The only way I have been able
> to get any type of failover is setting up a DNS entry to round robin
> between two Sun DS7 multimaster directory servers.
>
> Thanks,
>
> Gary
>
> On 3/25/2010 3:16 PM, Michael Adam wrote:
> >Hi Gary,
> >
> >Gary Peck wrote:
> >
> >>After trying multiple options in the smb.conf file the only way I could
> >>get fail over to work was having two ldap servers setup in a multimaster
> >>replication and having a DNS entry setup that round robins between the
> >>two. Everything seems to work, I can bring down one ldap server and
> >>samba will still authenticate and let users in. Anybody know of any
> >>issues doing it this way?
> >>
> >>Thanks,
> >>
> >>Gary
> >>
> >>
> >>>If I have read the documentation correctly, it looks like you can not
> >>>have a fail over LDAP server defined in the smb.conf file for the passdb
> >>>backend. It looks like this feature was taken away in an earlier
> >>>release. Is this correct? If not could somebody steer me in the right
> >>>direction.
> >>>
> >Is the question how to specify multiple ldap servers in smb.conf?
> >If so, here is the answer:
> >
> > passdb backend = ldap:"ldap://ldap1.example.com
> > ldap://ldap2.example.com"
> >
> >I.e. put a spaces separated list of ldap urls into quotes.
> >
> >If that was not your question, please clarify.
> >
> >Cheers - Michael
> >
>
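The library-dependent syntax quoted from the man page, and the ldap: versus ldapsam: slip earlier in the thread, are easy to get wrong in a way that smbd only reports at start-up or, as reported above for 3.0.37, by crashing. The script below is an added example, not code from this thread or from the Samba project: it reads the passdb backend line out of an smb.conf, says which multi-server form the quoted list uses (OpenLDAP style, every token a URL; Netscape style, only the first token carrying a scheme), and flags plain ldap:// that is not covered by an explicit ldap ssl = start tls. The smb.conf fragments inside it are constructed for the example, and the ldap-1/ldap-2.example.com hostnames are the man page's placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Checks the "passdb backend" line of an smb.conf for the points raised
# above: the backend must be "ldapsam:" (not "ldap:"), a quoted
# multi-server list is either OpenLDAP style (every token is a URL) or
# Netscape style (only the first token carries a scheme), and plain
# ldap:// without "ldap ssl = start tls" sends passdb traffic in the clear.
# Hostnames are the man page's placeholders; the configs are constructed.

# Print the value of "passdb backend" from an smb.conf read on stdin.
passdb_backend_value() {
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Strip the "backend:" prefix and the surrounding double quotes, leaving
# the space-separated server list.
url_list() {
    urls=${1#*:}
    urls=${urls#\"}
    urls=${urls%\"}
    printf '%s\n' "$urls"
}

# Classify a passdb backend value; always prints exactly one word:
#   bad-prefix      backend name is not "ldapsam" (e.g. the "ldap:" typo)
#   single          one server only, so no failover
#   openldap-multi  "ldap://a ldap://b" style list
#   netscape-multi  "ldap://a b" style list
#   malformed       anything else
classify_passdb_backend() {
    case $1 in
        ldapsam)   echo single; return 0 ;;   # defaults to ldap://localhost
        ldapsam:*) ;;
        *)         echo bad-prefix; return 0 ;;
    esac
    set -- $(url_list "$1")
    if [ $# -eq 0 ]; then echo malformed; return 0; fi
    if [ $# -eq 1 ]; then echo single; return 0; fi
    schemes=0
    for u in "$@"; do
        case $u in ldap://*|ldaps://*|ldapi://*) schemes=$((schemes + 1)) ;; esac
    done
    if [ "$schemes" -eq $# ]; then
        echo openldap-multi
    elif [ "$schemes" -eq 1 ]; then
        case $1 in
            ldap://*|ldaps://*) echo netscape-multi ;;
            *) echo malformed ;;
        esac
    else
        echo malformed
    fi
}

# Exit 0 when passdb traffic is protected: an explicit "ldap ssl = start tls"
# line is present, or no ldap:// URL appears in the list (ldaps:// is used).
# Conservative on purpose: it does not credit whatever the build's default
# for "ldap ssl" happens to be.
passdb_transport_secured() {
    conf=$1
    if printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ldap ssl[[:space:]]*=[[:space:]]*start tls'; then
        return 0
    fi
    value=$(printf '%s\n' "$conf" | passdb_backend_value)
    for u in $(url_list "$value"); do
        case $u in ldap://*) return 1 ;; esac
    done
    return 0
}

# Run both checks on a config string and print "<syntax> <transport>".
check_smb_conf() {
    value=$(printf '%s\n' "$1" | passdb_backend_value)
    kind=$(classify_passdb_backend "$value")
    if passdb_transport_secured "$1"; then
        echo "$kind secured"
    else
        echo "$kind cleartext"
    fi
}

# Constructed smb.conf fragments: the prefix that core-dumped in the thread,
# then the two multi-server forms the man page describes.
CONF_TYPO='[global]
   workgroup = EXAMPLE
   passdb backend = ldap:"ldap://ldap-1.example.com ldap://ldap-2.example.com"'

CONF_OPENLDAP='[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldaps://ldap-1.example.com ldaps://ldap-2.example.com"'

CONF_NETSCAPE='[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
   ldap ssl = start tls'

check_smb_conf "$CONF_TYPO"       # bad-prefix cleartext
check_smb_conf "$CONF_OPENLDAP"   # openldap-multi secured
check_smb_conf "$CONF_NETSCAPE"   # netscape-multi secured
```

A list that passes this check is only syntactically plausible; as the reply says, the string between the quotes still has to be accepted by the LDAP library's init routine. The definitive checks are `testparm -s` on the finished smb.conf and, with the OpenLDAP client tools, `ldapsearch -H "ldap://ldap-1.example.com ldap://ldap-2.example.com" -x -b '' -s base`, which takes the same space-separated URI list and shows whether the library fails over to the second server when the first is down.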